Key Trends That Fuel Phishing Inside an Enterprise

In this eWeek Data Point article, using industry information and data from GreatHorn, which specializes in cloud-native email security, we identify key trends fueling phishing’s success within the enterprise.

As we increasingly connect personal email addresses with access to cloud services, web apps and SaaS-based systems, the security of old-fashioned but “killer app” email has become more important than ever. For example, think about all the times you log into a web application of some kind and use your IDs from Facebook, Google, Yahoo or LinkedIn, which are usually email addresses.

Despite the fact that enterprises have invested billions in cybersecurity training and point solutions, the problems aren’t going away anytime soon.

The FBI reported that business email compromise (BEC) attacks enabled cybercriminals to steal more than $12 billion from October 2013 to May 2018. In 2017, that represented 48 percent of all internet crime-driven financial loss. Meanwhile, Verizon’s latest Data Breach Investigations Report showed that despite an emphasis on security training, one in 25 people will respond to any given phishing attack – not surprising as they have become both highly targeted and more sophisticated.

There is a stark difference between the average worker’s perception of email-based threats within the enterprise and that of security personnel. Two-thirds of non-security workers claim to never see any email threats besides spam, whereas 56 percent of security professionals see them at least weekly, in the form of impersonations, wire transfer requests, W2 requests, payload attacks/malware, business services spoofing, and credential theft.

The biggest challenge businesses face in email security is trust. Workers are clearly dismissing all unwanted messages as spam, and often mistakenly believe that their work email systems are inherently secure, which makes them highly susceptible to phishing and social engineering attacks, especially as those attacks become more and more sophisticated.

The average business uses three separate email security solutions, but there are some significant differences between the security postures of businesses that use on-premises infrastructure and those of cloud-first organizations.

On-premises companies were far more likely to use stand-alone anti-virus/anti-spam solutions, user awareness training and firewalls than their cloud counterparts. Meanwhile, cloud companies were far more likely to either use nothing, or simply “native cloud-email features.” Google, Microsoft and other cloud providers have significantly improved their security features, but outsourcing the entire email security responsibility to cloud providers is a dangerous proposition, because cybercriminals have proven themselves capable of bypassing email filters and other anti-phishing technology.

Data Point Trend No. 3: Basic Email Threats are Pervasive

It’s not just ultra-sophisticated and personalized phishing attacks that reach workers: 1 in 6 see basic payload attacks bypassing their email security defenses, even though these are arguably the most heavily guarded-against threats. In addition, security professionals report the following:

19 percent report that they have weak or no remediation capabilities if an email threat reaches an end user;

So not only are rudimentary email threats successful, but the security strategies organizations use are impeding the business. Meanwhile, the lack of good remediation options built into email security strategies makes it difficult to mitigate the damage.

Data Point Trend No. 4: Impersonations are Still Phishers’ Weapon of Choice

Overall, nearly half (46 percent) of all business professionals see executive, internal, or external impersonations, with that number jumping to 65 percent among email security professionals. Business services spoofing was the second most prevalent email threat respondents experience, followed by wire transfers, credential theft, and payload/malware.

Data Point Trend No. 5: Phishing Overwhelms Security Pros

Sixty-five percent of respondents reported fundamental technical issues with their existing email security solution. This figure, taken with the fact that two-thirds of email security professionals acknowledge that email threats make it past defenses and into inboxes, demonstrates the failure of the binary email security philosophy that has dominated the industry. It’s not reasonable to believe that an enterprise can stop 100 percent of all potential threats while simultaneously delivering a low false positive rate. Enterprises should assume that some amount of malicious mail will always find a way to reach employees, regardless of the company’s security posture.

Data Point No. 6: Summary

Cybercriminals’ window of opportunity becomes a barn door if IT and security professionals aren’t implementing basic email security hygiene. Forty percent of business professionals need to routinely take significant remediation actions – such as PowerShell scripts, shutting down compromised inboxes, etc. – to counter basic attacks that are delivered to their inbox.

A Sisyphean mindset has created complacency around how good email security can really be. Nearly half of all respondents (46 percent) were “less than satisfied” with their current email security solution, with only 10 percent indicating they were “very satisfied.” Senior-level executives agreed and were much more likely to be actively “dissatisfied” or “very dissatisfied” by their email security solution (20 percent compared to 12 percent for the general population).

Chris J. Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 13 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...
